
For a Flutter-Firebase mobile app, is it possible to have additional checks done (while using Email/Password Auth), like appending the phone's Device ID and having it checked against the Firestore database to ensure Email-Device uniqueness (to prevent running the same app on multiple devices with the same email/password) on sign-in?

The current sign-in method (https://firebase.flutter.dev/docs/auth/usage/) only accepts Email+Password, and I couldn't find a way to append additional user info for authentication.

signInWithEmailAndPassword() method:

import 'package:firebase_auth/firebase_auth.dart';

Future<void> signIn() async {
  try {
    UserCredential userCredential = await FirebaseAuth.instance.signInWithEmailAndPassword(
      email: "barry.allen@example.com",
      password: "SuperSecretPassword!",
    );
    // On success, userCredential.user holds the signed-in Firebase user.
  } on FirebaseAuthException catch (e) {
    if (e.code == 'user-not-found') {
      print('No user found for that email.');
    } else if (e.code == 'wrong-password') {
      print('Wrong password provided for that user.');
    }
  }
}
srt111

1 Answer


Email/password authentication requires only an email and a password to authenticate users. If you need to store any additional data, you would have to store it in either Custom Claims or a database. You can read this information as necessary. However, users can still reverse engineer the application and sign in without that additional check, since Firebase requires only E-Mail and Password and it'll still work even without your additional auth extension.

Whenever a user logs in, you can check whether any session for that user account exists in the database and then perform the relevant actions depending on whether a session exists or not.

Dharmaraj
  • Also check [Firebase auth login must allow single device login](https://stackoverflow.com/questions/50700724/firebase-auth-login-must-allow-single-device-login) – Dharmaraj Aug 14 '21 at 06:36
  • Thanks, Custom Claims were not mentioned in the FlutterFire docs. In the second half you mentioned "...since Firebase requires E-Mail and Password only and it'll still work even without your additional auth extension." Is this statement based on the above linked question or is it from personal experience? Because I was planning to implement this, and over [here](https://stackoverflow.com/questions/47751377/firebase-prevent-same-account-on-multiple-devices/47753603) it says that device uniqueness can be achieved with device IDs. – srt111 Aug 14 '21 at 09:47
  • @starzar that's a fact. Anyone can just copy the signIn method and log in to your app. I've worked on such custom auth flows with Firebase auth, and in our cases we have our own layer of auth, such as a custom cookie or token, so we know the user has logged in through our custom auth as well and not just Firebase directly somehow. – Dharmaraj Aug 14 '21 at 09:49
  • So does that mean device IDs don't get verified if passed as a Custom Claim along with Email+Password Auth? – srt111 Aug 14 '21 at 10:06
  • @starzar no. You manually check them after the user has logged in and then take the relevant actions. – Dharmaraj Aug 14 '21 at 10:07
  • You mentioned "...implemented own layer of auth such as a custom cookie or token"; is this layer via Firebase or some other way? – srt111 Aug 14 '21 at 10:09
  • @starzar it's a custom way. I cannot give the specifics, but the user is authenticated by our servers and then signed in via Firebase using [Custom Tokens](https://firebase.google.com/docs/auth/admin/create-custom-tokens). So it's more of a custom auth. – Dharmaraj Aug 14 '21 at 10:11
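A sketch of the post-sign-in session check the answer describes, written as an added example that is not part of the original question, the answer, or the FlutterFire docs. The `sessions/{uid}` document layout, its `deviceId`/`updatedAt` fields and the `deviceId` parameter (however the app derives a stable identifier for the phone) are assumptions.

```dart
import 'package:cloud_firestore/cloud_firestore.dart';
import 'package:firebase_auth/firebase_auth.dart';

/// Thrown when the account is already bound to a different device.
class DeviceMismatchException implements Exception {
  final String boundDeviceId;
  DeviceMismatchException(this.boundDeviceId);
}

/// Signs in with email/password, then binds the account to [deviceId] in
/// Firestore (assumed layout: sessions/{uid} = {deviceId, updatedAt}).
/// Firebase itself only verifies email + password; the device check is an
/// extra step performed after sign-in, exactly as the answer describes.
Future<User> signInOnSingleDevice({
  required String email,
  required String password,
  required String deviceId,
}) async {
  final auth = FirebaseAuth.instance;
  final credential =
      await auth.signInWithEmailAndPassword(email: email, password: password);
  final user = credential.user!;
  final sessionRef =
      FirebaseFirestore.instance.collection('sessions').doc(user.uid);

  try {
    // A transaction keeps two devices signing in at once from both "winning".
    await FirebaseFirestore.instance.runTransaction((tx) async {
      final snapshot = await tx.get(sessionRef);
      final bound = snapshot.data()?['deviceId'] as String?;
      if (bound != null && bound != deviceId) {
        throw DeviceMismatchException(bound);
      }
      // First sign-in, or the same device again: record/refresh the binding.
      tx.set(sessionRef, {
        'deviceId': deviceId,
        'updatedAt': FieldValue.serverTimestamp(),
      });
    });
  } on DeviceMismatchException {
    // Do not leave a usable Firebase session behind on the rejected device.
    await auth.signOut();
    rethrow;
  }
  return user;
}
```

As the answer points out, a modified client can simply skip this step, so at minimum the Firestore rules should restrict `sessions/{uid}` to `request.auth.uid == uid`; enforcement a client cannot bypass needs a server-side component such as the custom-token flow mentioned in the comments.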